PEAP Machine Auth without NTLM or LDAP

Phil Mayers p.mayers at imperial.ac.uk
Mon Jan 30 14:25:21 CET 2006


Sayantan Bhowmick wrote:
> Hi,
>     I am trying a similar setup with some variation.
> 
>> If there is no PDC, there's no domain, so there *is* no machine
>> account.
> 
> I have setup a Samba PDC and am using Novell eDirectory as the back-end
> store. In this scenario is it possible to perform PEAP-MSCHAPv2 machine
> authentication by adding the WinXP machine to the Samba PDC and without
> using ntlm_auth. Any help will be much appreciated.

Maybe. It's not a common use-case.

There should be an account in the domain of MACHINENAME$ - it should 
have an ntPassword LDAP attribute (or whatever it's called in your 
schema). If you set up the FreeRadius LDAP module to correctly extract 
the ntPassword attribute and add it as an NT-Password configure item, I 
don't see any reason the FreeRadius ms-chap module wouldn't work.

So, something like:

modules {
   mschap {
   }
   ldap {
     # configure LDAP here
   }
}
authorize {
   preprocess
   mschap
   eap
   ldap
}
authenticate {
   Auth-Type MS-CHAP {
     mschap
   }
   eap
}

The "configure LDAP here" should be fairly straightforward - read the 
default configuration and unless you have a non-standard setup things 
should work.

Things you might have to alter:

  1. If your LDAP schema puts the NT hash in an attribute other than 
ntPassword, edit the "ldap.attrmap" file
  2. If your LDAP schema does not contain the ntPassword but uses the 
Novell eDir "universal password" stuff (I'm not sure how that would work 
as a samba backend, so I doubt it) read the comments about setting up 
eDir in the default radiusd.conf

Other possible issues - the machine may announce itself as 
"HOST/MACHINENAME" in which case you need to fix that - see posts on the 
mailing list about using the "hints" file to strip the host/ and append 
a $ but I can't find them because the FreeRadius archives are 
unsearchable (every "help me" post with FR debug output contains those 
strings!)

> Regards,
> -Sayantan
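As an added illustration (not part of this thread, and not FreeRadius code): the two pieces the reply relies on, the ntPassword value the ldap module must pull out, which is the NT hash (MD4 over the UTF-16LE password, upper-case hex, as Samba stores it), and the mapping from the "host/MACHINENAME" identity to the "MACHINENAME$" account. The directory entry and its password are constructed; that the short host name is used and upper-cased is an assumption.

```python
import struct


def _md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320): hashlib's md4 is often missing under OpenSSL 3."""
    def rotl(x, s):
        x &= 0xFFFFFFFF
        return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [(F, 0, list(range(16)), (3, 7, 11, 19)),
              (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15))]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):  # registers rotate ABCD -> DABC each step
                a, b, c, d = d, rotl(a + fn(b, c, d) + X[idx] + k, shifts[i % 4]), b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in ntPassword: MD4 over UTF-16LE, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def machine_account_name(identity: str) -> str:
    """Map the PEAP identity an XP box sends ("host/name[.dns.suffix]") to the
    Samba machine account "NAME$".  Assumption: the short name is used, upper-cased."""
    name = identity[5:] if identity.lower().startswith("host/") else identity
    name = name.split(".", 1)[0].upper()
    return name if name.endswith("$") else name + "$"


# Constructed sample entry: a machine account whose (constructed) password is "password".
SAMPLE_DIRECTORY = {"WS01$": {"ntPassword": nt_hash("password")}}


def lookup_nt_password(identity: str, directory=SAMPLE_DIRECTORY):
    """What the ldap step must achieve: identity -> account -> stored NT hash,
    which the mschap module then consumes as the NT-Password item."""
    return directory.get(machine_account_name(identity), {}).get("ntPassword")
```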